POL-1362 Flexera Policy CloudFormation Template Automation #2651

Open
wants to merge 168 commits into base: master

Conversation

@XOmniverse XOmniverse (Contributor) commented Sep 20, 2024

Description

This PR enables automatic generation of the tools/cloudformation-template/FlexeraAutomationPolicies.template file from permissions listed in the data/policy_permissions_list/master_policy_permissions_list.json file. The latter now includes every AWS policy template that is not deprecated, and as a result, the CFT should now include every AWS policy and always be up to date as we add new policies and make changes to existing policies that affect the required permissions.

NOTE: If the user tries to enable individual inline policies for every policy template, this exceeds the size limit for AWS. To handle this, a special "All AWS policies" entry is added to the top to create a single inline policy for users that simply want to enable everything. This is still restricted to just the permissions needed for Flexera policies and does not grant read or read/write access to everything across the board.

This also removes a duplicate entry from the validated permissions list and corrects a handful of permissions in README files that were not valid and were caught by the CloudFormation Template linter.

Testing

The newly generated cloudformation template has been tested in an AWS environment and works as expected.
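The generation approach the description lays out (one inline policy per policy template, plus a single merged "All AWS policies" entry that stays within IAM's inline-policy size limit while still granting only the permissions the policies need) can be sketched as a small generator. The script below is an added illustration and is not the repository's own generator: the JSON layout of the permissions list, the parameter and resource names, the `TrustedAccountId` parameter and the sample permissions are all assumptions made for the example.

```python
"""Generate a CloudFormation template of least-privilege inline IAM policies
from a permissions list. Added example; not the policy_templates repo's code."""
import json
from typing import Dict, List

# Constructed sample in the shape this example assumes for the permissions list.
# The real master_policy_permissions_list.json layout is not shown in the PR,
# so this structure (and these permissions) are hypothetical.
SAMPLE_PERMISSIONS_LIST: Dict = {
    "policies": [
        {"name": "AWS Unused Volumes",
         "permissions": ["ec2:DescribeVolumes", "ec2:DescribeTags",
                         "sts:GetCallerIdentity"]},
        {"name": "AWS Old Snapshots",
         "permissions": ["ec2:DescribeSnapshots", "ec2:DeleteSnapshot",
                         "sts:GetCallerIdentity"]},
        {"name": "AWS Idle Compute Instances",
         "permissions": ["ec2:DescribeInstances",
                         "cloudwatch:GetMetricStatistics", "ec2:StopInstances"]},
    ]
}

# IAM quota for the combined size of all inline policies on one role, in characters.
INLINE_POLICY_SIZE_LIMIT = 10240


def logical_id(name: str) -> str:
    """CloudFormation logical IDs must be alphanumeric: 'AWS Old Snapshots' -> 'AWSOldSnapshots'."""
    return "".join(ch for ch in name if ch.isalnum())


def policy_document(actions: List[str]) -> Dict:
    """One Allow statement listing exactly the requested actions: no service wildcards."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(set(actions)),
                           "Resource": "*"}]}


def merged_actions(permissions_list: Dict) -> List[str]:
    """Union of every policy template's permissions, de-duplicated and sorted."""
    actions = set()
    for entry in permissions_list["policies"]:
        actions.update(entry["permissions"])
    return sorted(actions)


def policy_size(doc: Dict) -> int:
    """Approximates IAM's character count by measuring the whitespace-free JSON."""
    return len(json.dumps(doc, separators=(",", ":")))


def build_template(permissions_list: Dict) -> Dict:
    """Role + one conditional inline policy per template + one merged 'all' policy."""
    params: Dict = {"TrustedAccountId": {
        "Type": "String",
        "Description": "Account allowed to assume the role (placeholder parameter)"}}
    conditions: Dict = {}
    role_id = "FlexeraAutomationRole"
    resources: Dict = {role_id: {
        "Type": "AWS::IAM::Role",
        "Properties": {"AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": {"Ref": "TrustedAccountId"}},
                           "Action": "sts:AssumeRole"}]}}}}

    def add_inline_policy(pid: str, display_name: str, actions: List[str]) -> None:
        # Each inline policy is opt-in through a Yes/No parameter and a Condition.
        params["Enable" + pid] = {"Type": "String", "AllowedValues": ["Yes", "No"],
                                  "Default": "No",
                                  "Description": f"Create inline policy for {display_name}"}
        conditions["Create" + pid] = {"Fn::Equals": [{"Ref": "Enable" + pid}, "Yes"]}
        resources[pid + "Policy"] = {
            "Type": "AWS::IAM::Policy", "Condition": "Create" + pid,
            "Properties": {"PolicyName": pid, "Roles": [{"Ref": role_id}],
                           "PolicyDocument": policy_document(actions)}}

    # The merged entry goes first so users who want everything enable one policy.
    add_inline_policy("AllAWSPolicies", "All AWS policies", merged_actions(permissions_list))
    for entry in permissions_list["policies"]:
        add_inline_policy(logical_id(entry["name"]), entry["name"], entry["permissions"])
    return {"AWSTemplateFormatVersion": "2010-09-09", "Parameters": params,
            "Conditions": conditions, "Resources": resources}


def inline_policy_sizes(template: Dict) -> Dict[str, int]:
    """Size of every AWS::IAM::Policy document in the template, keyed by logical ID."""
    return {rid: policy_size(res["Properties"]["PolicyDocument"])
            for rid, res in template["Resources"].items()
            if res["Type"] == "AWS::IAM::Policy"}


def fits_role_limit(template: Dict, limit: int = INLINE_POLICY_SIZE_LIMIT) -> bool:
    """True if enabling every per-template policy at once would stay under the quota."""
    sizes = inline_policy_sizes(template)
    return sum(v for k, v in sizes.items() if k != "AllAWSPoliciesPolicy") <= limit


if __name__ == "__main__":
    tpl = build_template(SAMPLE_PERMISSIONS_LIST)
    print(json.dumps(tpl, indent=2))
    print("sizes:", inline_policy_sizes(tpl), "fits:", fits_role_limit(tpl))
```

The merged policy is smaller than the sum of the individual ones because duplicate actions (here `sts:GetCallerIdentity`) collapse into one list, which is what lets a single "enable everything" policy fit where enabling every inline policy separately would not; `fits_role_limit` is the check a CI job would run before publishing a regenerated template.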

@XOmniverse XOmniverse requested a review from a team as a code owner September 20, 2024 19:40
github-actions bot commented Sep 20, 2024

2 Warnings
⚠️

Important Files Modified

Please make sure these modifications were intentional and have been tested. These files are necessary for configuring the Github repository and managing automation.

.github/workflows/generate-aws-cloudformation-template.yaml
.spellignore

⚠️

tools/cloudformation-template/README.md

Textlint errors found:

10:48 error https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template is dead. (404 Not Found) no-dead-link

11:46 error https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template is dead. (404 Not Found) no-dead-link

✖ 2 problems (2 errors, 0 warnings)

Generated by 🚫 Danger

@nia-vf1 nia-vf1 self-assigned this Sep 24, 2024
@@ -83,7 +89,7 @@ As you follow the official docs, you can use the recommended configurations belo


I cannot select the line as it is not a part of this change but...

Line 80 says - Under **Maximum concurrent accounts**, choose `Percent` and set field value to `100`.

It should reference 'Failure tolerance' rather than 'Maximum concurrent accounts':
[image]

Therefore line 80 should read - Under **Failure tolerance**, choose `Percent` and set field value to `100`.


Both Max Concurrent Accounts and Failure tolerance should be set to "Percentage" and "100" for the value

@nia-vf1 nia-vf1 Oct 21, 2024


Yeah but the doc references Max Concurrent Accounts twice, rather than referencing Max Concurrent Accounts once and Failure Tolerance once @bryankaraffa


@nia-vf1 nia-vf1 Oct 21, 2024


[image]
See line 80 compared to line 77


@bryankaraffa bryankaraffa left a comment


We should keep revisioning for this PT imo.. for anytime it generates a CFT and there's a diff, create a branch/PR and we can approve it (like the other "automation" workflows we have in this repo).

Also, the publish to S3 workflow logic depends on revisioned copies in the repo:
https://github.com/flexera-public/policy_templates/blob/master/.github/workflows/cfn-publish.yaml
This will need to be changed, or we'll need to keep creating revisioned copies.

@nia-vf1 nia-vf1 assigned XOmniverse and unassigned nia-vf1 Nov 14, 2024